r1chardgreen n00b
Joined: 10 Feb 2003 Posts: 43
Posted: Fri Sep 03, 2004 5:27 am    Post subject: adaptive firewall help
I run a web server which, occasionally, appears to be subject to a simple attack from a single IP address at one time (varies geographically, could be a zombie, or perhaps a legitimate customer of ours who travels and has a broken system).
The errant client opens hundreds of connections per second (netstat shows these are established connections, which is why I wonder if it's just a broken system - if it was a DoS, why bother to complete the connection?).
Once all the 256 connections my Apache configuration allows are taken, no other clients can connect to my web site.
To handle this sort of problem automatically rather than responding manually with the addition of an iptables rule, I'd like to limit the rate at which client connections are accepted from a single IP address (allow a burst to a count of 50 connections within a couple of seconds, then back off and deny the IP address access for increasing periods of time). I think this should allow sufficient access for legitimate clients behind NAT devices.
This sounds like a job for a firewall, but I don't really know where to start with creating an adaptive firewall that can do this.
What tools are available (and recommended) for detecting and managing this sort of problem without manual intervention?
Cheers
Richard
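The policy asked for above (a per-source burst of about 50 connection attempts, a sustained limit after that, and a cool-off during which the source is dropped) can be built from three iptables matches without knowing the attacker's address in advance, because the hashlimit match keeps a separate token bucket per source IP. The script below is an added example, not code from any post in this thread. It assumes a kernel built with the hashlimit, connlimit and recent matches (CONFIG_NETFILTER_XT_MATCH_HASHLIMIT, CONFIG_NETFILTER_XT_MATCH_CONNLIMIT, CONFIG_NETFILTER_XT_MATCH_RECENT) and an iptables new enough to have --hashlimit-above; the "dstlimit" match mentioned later in the thread is the 2004 predecessor of hashlimit, and older iptables only offer --hashlimit, which matches while a source is still under the limit, so the rule logic inverts (ACCEPT on match, DROP afterwards). The chain names HTTP_RATE and HTTP_PUNISH, the list name http_ban and the default thresholds are this example's choices. By default it only prints the commands; run it as root with IPT=iptables to apply them.

```shell
#!/bin/sh
# Per-source connection rate limiting for a web port with iptables.
# Added example (not from the thread). Assumes the hashlimit, connlimit and
# recent matches are available and that iptables understands --hashlimit-above.
# Default is a dry run that prints the commands; run as root with
# IPT=iptables to apply them.
set -u
IPT=${IPT:-echo iptables}

# http_rate_limit PORT BURST RATE MAXCONN BAN
#   PORT    TCP port to protect
#   BURST   new connections one source may open in a burst before limiting starts
#   RATE    sustained new-connection rate per source afterwards, e.g. 25/second
#   MAXCONN simultaneous established connections one source may hold
#   BAN     seconds a limited source stays dropped after its last attempt
http_rate_limit() {
    port=$1 burst=$2 rate=$3 maxconn=$4 ban=$5

    # Fresh chains: -N fails if the chain exists, so flush it instead.
    for chain in HTTP_RATE HTTP_PUNISH; do
        $IPT -N "$chain" 2>/dev/null || $IPT -F "$chain"
    done

    # Only connection attempts (SYN) are rate-limited; established traffic passes.
    $IPT -A INPUT -p tcp --dport "$port" --syn -j HTTP_RATE

    # 1. Already in the penalty box: drop. --update refreshes the timestamp, so
    #    the ban lasts until the source has been quiet for BAN seconds.
    $IPT -A HTTP_RATE -m recent --name http_ban --update --seconds "$ban" -j DROP
    # 2. Too many concurrent connections from one /32: reset this one, no ban.
    $IPT -A HTTP_RATE -m connlimit --connlimit-above "$maxconn" --connlimit-mask 32 \
        -j REJECT --reject-with tcp-reset
    # 3. Token bucket per source IP: above RATE once BURST is used up -> punish.
    $IPT -A HTTP_RATE -m hashlimit --hashlimit-name http_syn --hashlimit-mode srcip \
        --hashlimit-above "$rate" --hashlimit-burst "$burst" -j HTTP_PUNISH
    # 4. Within limits: continue with the rest of INPUT.
    $IPT -A HTTP_RATE -j RETURN

    # Penalty box: remember the source (a rule without -j only runs its matches),
    # log a sample of the attempts so an operator can see who it was, then drop.
    $IPT -A HTTP_PUNISH -m recent --name http_ban --set
    $IPT -A HTTP_PUNISH -m limit --limit 6/minute -j LOG --log-prefix "HTTP_RATE "
    $IPT -A HTTP_PUNISH -j DROP
}

# Defaults: port 80, burst 50, then 25 new connections/second, at most 50
# established connections per source, 10 minutes in the penalty box.
http_rate_limit "${PORT:-80}" "${BURST:-50}" "${RATE:-25/second}" "${MAXCONN:-50}" "${BAN:-600}"
```

MAXCONN stays well below Apache's 256 MaxClients, so a single source that holds connections open (the ESTABLISHED case seen in netstat) is cut off before it exhausts the server, while a NAT gateway with a few dozen users behind it stays inside the burst. The recent list holds 100 addresses by default (xt_recent module parameter ip_list_tot); raise it if many sources may sit in the penalty box at once. The recent match alone cannot make the ban grow with each repeat offence; that needs something reacting to the LOG lines.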
nightblade Guru
Joined: 20 Jul 2004 Posts: 368 Location: back from SE Asia
Posted: Fri Sep 03, 2004 10:16 am    Post subject:
There is a plugin for Snort that is specifically targeted at blocking IP addresses in response to attacks and other suspicious activity.
I have never experimented with it, but you might want to give it a try:
http://www.snortsam.net/
Please let me know if it works!
_________________
In God we trust. All the others must provide a valid X.509 certificate
lwithers Guru
Joined: 31 Dec 2003 Posts: 300 Location: Reading, UK
Posted: Fri Sep 03, 2004 12:05 pm    Post subject:
You can use a rate-limiting rule in iptables to do this. Once you have emerged iptables, do "man iptables" and search for "dstlimit" and "limit", which are the two rules you will use to do this. Note that you'll need to have compiled the relevant modules into your kernel in the netfilter configuration section.
r1chardgreen n00b
Joined: 10 Feb 2003 Posts: 43
Posted: Fri Sep 03, 2004 1:59 pm    Post subject:
lwithers:
lwithers wrote:
You can use a rate-limiting rule in iptables to do this. Once you have emerged iptables, do "man iptables" and search for "dstlimit" and "limit", which are the two rules you will use to do this. Note that you'll need to have compiled the relevant modules into your kernel in the netfilter configuration section.
Ok, thanks, but I don't know the IP address of the attacking system until the attack happens, thus I can't just create a rule for that based upon the source address. I want all traffic to continue from other peers. As I understand the man pages, without knowledge of the source of the attack, it isn't possible to use 'limit' on a per-host basis unless you actually know that host. (I could be wrong here....)
nightblade:
Quote:
There is a plugin for Snort, that is specifically targeted in blocking IP addresses in response to attacks and other suspicious activity.
I had a look at the docs for this - I haven't used Snort before; it seems there is a lot to understand to configure it correctly, which obviously is the first step before using the plug-in. However, the plug-in you mention does look like it will do what I want it to do.
How resource heavy is Snort? I notice it logs a lot to disk - does it manage its own clean-up of old logging data (I didn't see anything about that in the docs)?
Cheers
Richard
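The objection in the post above, that the address is only known once the attack starts, is what the netfilter LOG target is for: the rule that drops over-limit attempts can log a sample of them, and a small watcher can turn those lines into explicit per-address bans whose length grows with each repeat offence, the "increasing periods of time" asked for in the first post, which the recent and limit matches cannot do by themselves. The script below is an added example and not code from any post in this thread. It assumes a firewall rule already logs over-limit SYNs with --log-prefix "HTTP_RATE ", that the kernel log is fed to the script on stdin (tail -F /var/log/kern.log | sh ban.sh watch), and that iptables is run as root via IPT=iptables (the default only prints the commands). The sample log line, the state-file format and the doubling schedule are constructed for the example.

```shell
#!/bin/sh
# Escalating per-source bans driven by netfilter LOG lines.
# Added example, not from the thread. Assumes a firewall rule already logs
# over-limit connection attempts with --log-prefix "HTTP_RATE " and that
# iptables is available as root. IPT defaults to a dry run that prints commands.
set -u
IPT=${IPT:-echo iptables}
PORT=${PORT:-80}                        # port the logging rule protects
BASE=${BASE:-60}                        # first ban, seconds
MAX=${MAX:-3600}                        # longest ban, seconds
STATE=${STATE:-/var/tmp/http_ban.state} # one "ip offences until" line per source

# Constructed sample of what the LOG target writes to the kernel log.
SAMPLE='Sep  3 05:27:01 web kernel: HTTP_RATE IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51514 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0'

# Print the SRC= address of a line carrying our prefix, nothing for other lines.
parse_src() {
    printf '%s\n' "$1" | sed -n '/HTTP_RATE /s/.*SRC=\([0-9.][0-9.]*\).*/\1/p'
}

# Ban length for the n-th offence: BASE, doubled per repeat, capped at MAX.
ban_seconds() {
    n=$1
    secs=$BASE
    while [ "$n" -gt 1 ] && [ "$secs" -lt "$MAX" ]; do
        secs=$((secs * 2))
        n=$((n - 1))
    done
    if [ "$secs" -gt "$MAX" ]; then secs=$MAX; fi
    echo "$secs"
}

# Print "offences until" for an address ("0 0" if never seen).
lookup() {
    [ -f "$STATE" ] || : > "$STATE"
    rec=$(awk -v ip="$1" '$1 == ip { print $2, $3 }' "$STATE")
    echo "${rec:-0 0}"
}

# Replace an address's record with "ip offences until".
record() {
    [ -f "$STATE" ] || : > "$STATE"
    { awk -v ip="$1" '$1 != ip' "$STATE"; echo "$1 $2 $3"; } > "$STATE.tmp"
    mv "$STATE.tmp" "$STATE"
}

# Count the offence, insert a DROP at the top of INPUT (ahead of the logging
# rule, so the source produces no further lines) and lift it later from a
# background job. A line arriving while the ban still runs is not a new offence.
ban() {
    ip=$1
    now=$(date +%s)
    set -- $(lookup "$ip")          # $1 = offences so far, $2 = banned until
    if [ "$now" -lt "$2" ]; then
        return 0
    fi
    n=$(($1 + 1))
    secs=$(ban_seconds "$n")
    record "$ip" "$n" $((now + secs))
    $IPT -I INPUT 1 -s "$ip" -p tcp --dport "$PORT" -j DROP
    ( sleep "$secs" && $IPT -D INPUT -s "$ip" -p tcp --dport "$PORT" -j DROP ) </dev/null &
    echo "$ip: offence $n, banned for ${secs}s"
}

# Feed kernel log lines on stdin:  tail -F /var/log/kern.log | sh ban.sh watch
watch() {
    while IFS= read -r line; do
        ip=$(parse_src "$line")
        if [ -n "$ip" ]; then ban "$ip"; fi
    done
}

case "${1:-}" in
    watch) watch ;;
    demo)  ban "$(parse_src "$SAMPLE")" ;;   # one ban from the sample line
esac
```

The DROP goes in at position 1 of INPUT, ahead of the logging rule, so a banned source generates no more log lines and its offence count only rises when it comes back after the ban has expired. The count never decays in this simple state file; remove the entry (or the file) to forgive a source. One background sleep per ban is fine for a handful of offenders, but a cron-driven expiry that reads the "until" column would scale better.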
nightblade Guru
Joined: 20 Jul 2004 Posts: 368 Location: back from SE Asia
Posted: Fri Sep 03, 2004 2:24 pm    Post subject:
r1chardgreen wrote:
How resource heavy is snort? I notice it logs a lot to disk - does it manage it's own clean-up of old logging data (I didn't see anything about that in the docs)?
I am NOT a Snort guru (I have experimented with Snort only for one week or two, and it was about 2 years ago), but, as far as I remember:
- The log management is fully customizable. I think you can choose not to log at all, except of course the episodes of excessive amounts of connections, so disk space shouldn't be an issue.
- The CPU utilization depends on how much analysis you perform on the traffic, and that is very customizable too.
I think that if you have a spare web server where you can experiment for a few days, you might solve your problem without losing performance.
_________________
In God we trust. All the others must provide a valid X.509 certificate
hanj Veteran
Joined: 19 Aug 2003 Posts: 1500
Posted: Fri Sep 03, 2004 3:18 pm    Post subject:
I would say that SnortSam is the ticket. I would first install Snort and see if it sees the activity; if it can, you can control it via SnortSam. Do you know if the DoS is just a connection, or are they looking for a specific file, or are they trying to attack an existing exploit (i.e. cmd.exe, etc.)?
To get Snort, you'll need snort-2.2.0. There is a USE flag for snortsam in that version in portage.
Code:
ACCEPT_KEYWORDS="~x86" USE="snortsam" emerge -pv snort
Here is a great howto on Snort, ACID and MySQL:
https://forums.gentoo.org/viewtopic.php?t=78718&highlight=snort+acid+howto
With SnortSam you can block for x amount of minutes and apply it to existing Snort rule(s). You could also write a custom Snort rule for this specific traffic... it is important that you find some consistency in the attack, since the IP changes.
I hope this helps
hanji
r1chardgreen n00b
Joined: 10 Feb 2003 Posts: 43
Posted: Fri Sep 03, 2004 11:57 pm    Post subject:
hanji wrote:
I hope this helps
All this helps, thanks guys - I am going to give Snort a go to get started, then try SnortSam if I determine the server is not unduly impacted.
Once I have news I'll update this thread.
Cheers
Richard
Minox Apprentice
Joined: 12 Apr 2004 Posts: 188 Location: Germany / Munich
Posted: Sat Sep 04, 2004 6:58 am    Post subject:
lwithers wrote:
You can use a rate-limiting rule in iptables to do this. Once you have emerged iptables, do "man iptables" and search for "dstlimit" and "limit", which are the two rules you will use to do this. Note that you'll need to have compiled the relevant modules into your kernel in the netfilter configuration section.
I mean that you can also limit a service (e.g. a port). You don't need the IP for that. Otherwise you could use QoS, but that needs a new kernel and some reading.
_________________
proud to be 100% M$ free